Ivan Jager wrote:
qemu-make-debian-root will continue running even if mkdir failed.
Dmitry said the script has -e set - if so the script will not continue running if mkdir failed (unless it somehow overrides the -e check, e.g. mkdir /tmp/file || true).
Also, assuming qemu-make-debian-root is running with PID 1234, an attacker is free to change the /tmp/mount.1234 symlink during the execution of the script. If /tmp/mount.1234 is linked to /etc/, the script will mount the freshly created filesystem image on top of /etc, making a lot of programs very sad.I don't think these attacks are possible if the script aborts when mkdir fails. mkdir won't succeed if there is a symlink.An attacker could then change the symlink such that debbootstrap will install anywhere he wants. (which may allow him to overwrite some files, but I haven't looked closely at debbootstrap.)
In any case, doing something better would be good because it means an attacker can't run a denial-of-service type attack and prevent the script from running.
Brian May